Did CISPA Actually Get Better Before Passing? Not Really

from the depends-on-how-you-define-"better" dept

Yesterday, after I asserted that CISPA had gotten much worse before it was passed in a rushed vote, I heard from several people (even those in the anti-CISPA camp) who took the opposite position. They feel that, while CISPA is still a highly problematic bill, the Quayle amendment which I roundly criticized actually represented a significant last-minute improvement to the text. I still don't see it that way, for reasons I explain below, but they did make an important point that is worth calling attention to.

Basically, under their reading of the previous text, it allowed the government to use the data for any non-regulatory purpose as long as it has one cybersecurity or national security purpose. I hadn't initially read it that way but I completely agree, and that is indeed a troublesome wild card to hand to the government. The amendment removed the broad "any lawful purpose" language, replacing it with the list of five specific uses (cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security), thus closing that gaping hole in the bill. In that sense, it's a good amendment.

But, does it really improve CISPA? That depends on how you look at it. CISPA is supposed to be a "cybersecurity" bill, and both its supporters and its opponents in Congress have repeatedly stated that cybersecurity means protecting networks and systems from disruption, hacking and malicious code—primarily coming from overseas. Even during yesterday's debate, virtually every representative who spoke opened with a speech on this topic, and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Now, critics of the bill have of course been saying all along that it could be used for things way beyond this stated cybersecurity purpose. But the response from supporters has been consistent: no, it can't, and even if it can, it won't be. [Insert another impassioned speech about the cyber-threat from China.] Then, suddenly, only a few minutes before the final vote, the representatives near-unanimously amend CISPA to include these brand new targets of bodily harm and child exploitation, which have nothing to do with cybersecurity and which have rarely if ever been mentioned in relation to the bill.

Basically, the amendment closes a loophole but opens a door. It takes away some of the language that allows overreach of the bill, but then explicitly endorses the exact things people were worried the government would do with that language—as in, start using the data to investigate and build cases against American citizens without regard for the laws that would normally protect their privacy.

Is that an improvement? CISPA would now grant the government less vague power, which is good, but would also grant it brand new specific powers, which is bad and frankly pretty insulting. Because, if this is indeed an improvement and a narrowing of the government's power, how are we to take that if not as a confession that virtually every representative has been baldly lying this whole time? They have said over and over again that they don't want or plan to use the bill for anything except shoring up network security, but we're supposed to see the addition of these brand new applications as limiting CISPA's target? To me, that sounds like they're saying: "Okay, you got us—we really wanted to secretly do all this other stuff. As long as you still let us do that, we'll change the bill."

So the way I see it, there are two ways to look at the Quayle amendment: either it made the bill worse, by massively expanding its stated purpose to whole new areas of the law such that it can no longer accurately be called a "cybersecurity" bill at all, or else it made the bill better by codifying the ways it can be abused for non-cybersecurity purposes.

Of course, it's not as though everyone trusted what supporters were saying about the bill's purpose before. We all knew it would be used for these other things. But simply getting them to admit that is not really progress. It's accurate to say that the amendment has limited the government's power under CISPA by changing the language, but it's also ludicrous to say that turning a cybersecurity/national-security bill into a cybersecurity/cybercrime/violent-crime/child-exploitation/national-security bill at the last minute represents narrowing or improving it. In fact, the only way that's an improvement is if the representatives are admitting that they were planning on it being used for even more unstated purposes all along, but are now content with choosing only a few of the things they have repeatedly denied they wanted. I see how that can be framed as progress, but it's not exactly something that the House deserves any praise for.

Protecting from harm

Attention All:

Subject: Typing may cause Carpal Tunnel, & Arthritis.

Good news my fellow Americans. Science has found that typing can cause Carpal Tunnel & Arthritis. These have been known to harm people of all ages. So in order to keep you safe. The US Government will use CISPA and monitor all use of your electronic devices. To include but not limited to what keys you type, and where the information get sent to. Using this information will not help you in any way. But is the perfect excuse for us to monitor you.

Re:

Yeah - some of the other amendments that passed are pretty good. Another is the clarification that merely violating terms of service doesn't constitute hacking.

However, I still think all that pales in comparison to this amendment, that is essentially a core change to the stated purpose of the bill, and flies in the face of what everyone involved has said CISPA is for.

Re: Xs and Os

Re: Re:

One reason I gave my congressman that I opposed this bill is that it didn't contain safeguards to keep the information from being used to prosecute other types of crimes which were not in any way related to "cybersecurity". Based on the amendment, that was apparently intentional.

Re:

Only if you're a guy. If you're a woman, there's a good chance you're jail bait or someone's Mom. Of course the axiom is that there are no girls on the internet. And that 15 year old is really a 33 year old FBI agent.

There's a political angle to this as well

Of course, "something bad" happens just about every day -- read the "Dataloss" mailing list. So it's not like anything particularly bad would need to turn up, and it's not like it would even have to be something covered by the bill. "Credit card company loses hard drive with 28 million customer accounts" would do just fine, because the computer-illiterate public will have no clue whether this had anything to do with CISPA.

Here's the thing: the worse the bill is, the better it works for this, because the more pressure the President will be under not to sign it. So there is substantial motivation to load the bill up with as many due process violations, as many civil rights issues, and as much wildly unconstitutional language as possible: the idea isn't to get it signed, the idea is to get it vetoed, because then it can serve its purpose.

Oh. One more thing. This is also why the House has studiously avoided asking anyone who has even half a clue about security to testify, and has instead focused on the OMG!OMG!CYBERWAR cheerleaders. There is no way that sanity and expertise can be allowed anywhere near this process because that might accidentally result in a better bill.

Re:

[...] and Ruppersberger himself insisted that CISPA's sole purpose was allowing companies and the government to share "formulas, Xs and Os, the virus code". (I'm pretty sure he meant "1s and 0s", but what do you expect from someone who doesn't understand the thing he's trying to legislate?)

Re: Re:

Re:

1s and 0s are purely symbolic representations, and don't even map to the same voltages across all devices. True, they have become a standard in the industry and it is highly unlikely that a politician understands these basic principles, but understanding the binary nature of computer data is a far cry better than calling the internet a series of tubes.

Now, technically, they should be looking to share the disassembled code, rather than the bit by bit representation. Still, this is at least evidence that they can learn, if it is screamed at them loud enough.

Re: Re: Re:

Re: Re:

Heh - I was thinking afterwards about how, yeah, Xs and Os would work just as well for symbolizing binary information. However, I think it's a stretch to say he understands the binary nature of computer data. When you watch the speech (link is in the comments here if you want to check it out) he clearly just has these things as talking points to some degree - and I think he actually stumbled slightly when he said "formulas" (someone probably explained algorithms/code to him as being kind of like a math formula), and then that put algebra in his brain, which is where the "Xs" came from, which derailed his brain yet again into "Xs and Os" (a tragic blend of algebra's Xs and Ys, binary's 1s and 0s and, um, tic-tac-toe). "The virus code" is the only thing he sounds slightly confident about saying, and I get the impression that the other stuff is how someone tried to explain to him what "virus code" actually is.

Obviously I'm just guessing from looking at the man's face and listening to his voice - but definitely nothing about him radiated "understanding". This doesn't show they can learn if it's screamed at them loud enough, it shows they can't even properly memorize by rote when it's screamed at them loudly.

Just to clarify, when that congressman was talking about Xs and Os he wasn't talking about coding. He was talking about sharing anti-cyber security strategies. Its a term often found in the sport of American Football because players are indicated by Xs and Os in playbooks.

I wouldn't expect a bunch of nerds to understand that. :P I kid, I kid.

Re: Sunsetting

A sunset provision in legislation with effects this deep isn't really aimed at decommissioning -- no one has suggested that the issues addressed by this bill will have faded in five years. Rather, expiration of the legislation will trigger campaign contributions from private firms and industry groups that by then will have integrated its provisions into their business practices. It's all pretty ugly.

Re: Re:

i just love that Mac thornberry, after one minute in the video
talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)

sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)

Re: Re:

i just love that Mac thornberry, after one minute in the video
talks about cyber security and that it's monitored and destroyed and what-not...does he realize that the very bill is
exactly the same?
That instead of POTENTIAL hackers watching us, we are GUARANTEED to have a FBI agent watching us, while he's whatching the (possibly) non-exsisting hacker that is watching us.
This is a freaky hack-seption, and i don't know if i like the thought that not only hackers can get my identity and/or money, but now the state can too. tThey can also incriminate me without trial, in any country...i'm seriously disturbed by this (I'm just a 16, year old from Sweden, and even I can feel a wind of change comming)

sry for the long post, but i'm happy you took up this issue (would be glad if i could get a response)